Security Issue Reporting

The Corda project is committed to the continuous improvement of the security of all aspects of the Corda platform and Corda Network. R3 welcomes collaboration with the security research community in order to remediate vulnerabilities that have been discovered in the Corda platform. We thank you in advance for your contributions to our vulnerability disclosure program.


Coordinated Vulnerability Disclosure Policy


Security vulnerabilities may be published on our website in the form of a security advisory after R3 has conducted an analysis. R3 will coordinate the disclosure of any vulnerability that may affect our customers or partners.

All aspects of this process are subject to change without notice. R3 will make every attempt to coordinate all levels of engagement but cannot guarantee a particular level of response.

By submitting a vulnerability, you agree not to publicly disclose or share the vulnerability with any third party until R3 confirms that the vulnerability has been remediated or you have received written permission from R3 to publish information about the vulnerability.


Expectations


We are committed to working in good faith with the security community. R3 requires that vulnerability research and submissions follow these guidelines:

  • Conduct research in a manner that protects the property and privacy of our customers and partners
  • Comply with all applicable laws and regulations in the course of your research activities
  • Allow us time to work with customers and partners in order to mitigate the issue before any public disclosure
  • Provide full details of the vulnerability at the time of disclosure

To protect our customers, we will not publicly disclose or confirm security vulnerabilities until R3 has conducted an analysis of the vulnerability and issued fixes and/or mitigations.


Submitting a vulnerability


Researchers who wish to submit vulnerabilities in the Corda platform and associated services should directly contact the Corda security team at the following email address: security@corda.net.

When submitting a vulnerability, please provide the following details if possible:

  • A description of the vulnerability and the environment in which it was discovered
  • The name, version and configuration of the product or service that is affected
  • Detailed steps that can reproduce the issue
  • An image attachment (optional). Do not attach any video or executable files to your email

Please do not include any identifiable information (name, contact information, or similar information) in your submission.


Response


The security team at R3 will make every effort to acknowledge your email and initiate an investigation as soon as is practically possible. Advisory-class issues may require coordinated disclosure with our customers and partners before being made publicly available.

R3 will make every effort to communicate to you the plan for remediation of any reported vulnerability and may, after receiving your approval, publicly acknowledge your efforts on our website.


Legal


At all times while performing security research activities in relation to R3 products and services, including when submitting a Corda Security Vulnerability, you must comply with the Corda Coordinated Vulnerability Disclosure Policy and all applicable laws. If you fail to comply with this policy or any applicable law, you may be subject to civil and/or criminal liability. By submitting a vulnerability to R3, you understand and agree that such submission shall not constitute proprietary information, and you grant R3 the unrestricted right to use or exploit such submission without any obligations of any kind with respect thereto. You must notify R3 if any submission is not your own work, or if it contains or otherwise constitutes your proprietary information or the proprietary information of any third party.

This policy may be updated to ensure it remains relevant and current with changing technologies, applicable laws and R3 business practices.